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CLAIMS 



What is claimed is: 



A system for monitoring operation of a software 



program^ in a network environment, comprising: 

an execution component for executing the software 
programs, said execution component being coupled to an 
isolatedX network that does not have a direct 
connection\to another network that is not an isolated 
network; \ 

a monitoring component for obtaining information about 
actions performed, by the software program; and 

a network emulation component, coupled to said 
isolated network, fo\ emulating the behavior of at 
least a host providing\network services; wherein 

said execution component\and said network emulation 
component cooperate with ^said isolated network in 
order to elicit a behavior\pf the software program 
that is detectable by said monitoring component. 

2. A system as in claim 1, where said emulation 
component further comprises a server programmed so as to 
return emulated results in response to ay request resulting 
from the software program being executed W said execution 
component . \ 

3. A system as in claim 1, where sa^id emulation 
component is programmed so as to limit access by the 
software program to only certain resources . \ 
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\ 4 . A system as in claim 1, where at least one of said 
emulation component and monitoring component are programmed 
so as to provide information about the performance of the 
softwam program for the purposes of testing, debugging, 
performance profiling, or optimization. 

5. A system as in claim 1, where at least one of said 
emulation component and monitoring component are programmed 
so as to provide information about actions of the software 
program for Vhe purposes of reverse engineering or 
otherwise determining the function and behavior of the 
software progratrL 

6. A system a^ in claim 1, where at least one of said 
emulation component nnd monitoring component are programmed 
so as to provide information about actions of the software 
program for the purposes of detecting a presence of an 
undesirable software entity within the software program. 

7. A system as in olaim 6, wherein the undesirable 
software entity comprises^ at least one of a worm or a 
virus . \ 

8. A system as in claimXe, wherein the undesirable 
software entity comprises a Nworrn that exhibits viral 
characteristics . \ 

9. A system as in claim 1, wheVe the elicited behavior 
of the software program comprises s^elf -replication . 

10. A system as in claim 1, \ where the elicited 
behavior of the software program comprises viral or 
malicious activity. \ 



•11. A system as in claim 2, where said server is 
programmed to determine what result to \return based at 
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.east in part on a result of a corresponding real query 
sent to a corresponding real server on a corresponding 
reaU, non- isolated network. 

t 2 . A system as in claim 2, where said server is 
programmed so as to function as an optimistic host. 

13 . \ A system as in claim 2, where said server 
comprises Nat least one of a real or an emulated Web server. 

14. A system as in claim 2, where said server 
comprises at Yeast one of a real or an emulated http, ftp, 
imap4, pop3 , mjtp, news, ire, chat, smtp, mail or mailbox 
server , 

15. A sysopm as in claim 2, where said server 
comprises at least \pne of a real or an emulated router, 

16. A system \^s in claim 2, where said server 
comprises at least one\pf a real or an emulated DNS, WINS, 
or other Name server, 

17. A system as :lSj claim 2, where said server 
comprises at least one of\ a real or an emulated SNMP 
server . 

18. A system as in cl^im 2, where said server 
comprises at least one of a re^l or an emulated NetBIOS 
server 



19. A system as in claim \2 , where said server 
comprises at least one of a real or ah emulated server that 
operates in accordance with SMB, NES \>r other distributed 
file system protocols. 
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\ 20. A system as in claim 1, where said monitoring 
component comprises a monitor programmed to record certain 
information or types of information that flow across the 
isolated network as a result of the execution of the 
software\ program. 

21. V system as in claim 1, where said monitoring 
component comprises a monitor programmed to record at least 
one of certain operating system level or application level 
activities or\types of activities that occur in real or 
emulated host computers as a result of the execution of the 
software program\ 

22. A system \as in claim 2, where said monitoring 
component comprises V monitor programmed to record at least 
certain activities oV types of activities that occur in 
said server as a resuit of the execution of the software 
program . \ 

23. A system as inXclaim 1, where said monitoring 
component comprises at leaist one event handler programmed 
so as to obtain control when certain events or types of 
events occur. \ 

24. A system as in claim 2\3 , where the certain events 
or types of events comprise at \east one of creation of a 
new file in a filesystem, a receipt of mail, an opening of 
mail, a posting of news, an opening of a new socket 
connection, an execution of a particular application, and 
an alteration of a system registry. \ 

25. A system as in claim 1, wlaere said emulation 
component further comprises a system \activity emulation 
component for emulating typical or speciVic activity on at 
least one of said isolated network and a\real or emulated 
host computer. \ 
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\ 26. A system as in claim 25, where the typical or 
specific activity comprises at least one of sending mail, 
openirag mail, opening or execution of a mail attachment, 
entry of keystrokes, issuing of user commands, execution of 
a particular application, rebooting a real or emulated host 
computer, \ restarting a real or emulated host computer, 
reinitialisation of a real or emulated host computer, 
posting of riews, participation in real-time messaging, and 
a transfer oi£ files. 

27. A sysoem for eliciting a desired behavior from a 
software programs, comprising: 

an emulated ciata communications network having at 
least one emuiSated network server coupled thereto, 
said at least one emulated network server responding 
to requests received from said emulated data 
communications network; 

an emulated host computer coupled to said emulated 
data communications V network, said emulated host 
computer for executing the software program, the 
software program operating to originate requests to 
said emulated data communications network; 

at least one emulated goat\ computer coupled to said 
emulated data communications^ network; and 

at least one monitor for detecting an occurrence of 
the desired behavior in at leasV one of said emulated 
network server, said emulated host computer, and said 
at least one emulated goat computer. 

28. A system as in claim 27, wherein said at least one 
emulated network server operates as an optimistic server 
when responding to requests received from said emulated 
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lata communications network. 

29. A system as in claim 27, wherein the desired 
behaVior is indicative of a presence of an undesirable 
software entity within the software program. 

3 0 X A system as in claim 29, wherein the undesirable 
software N^ntity comprises at least one of a worm or a 
virus . 

31. A system as in claim 29, wherein the undesirable 
software entity comprises a worm that exhibits viral 
characteristics " 

32. A systenk as in claim 27, where the desired 
behavior comprises s^elf -replication , 

33. A system a^v in claim 27, where the desired 
behavior comprises virai activity or malicious activity. 

34. A system as in \claim 27, wherein said monitor 
operates to detect at leasst one of a creation of a new 
file, a receipt of mail, an\ppening of mail, a posting of 
news, an opening of a new socket connection, an execution 
of a particular application, ai^d an alteration of a system 
registry . 

35. A system as in claim 2^ where at least one of 
said emulated host computer and saia monitor are programmed 
so as to provide information about Vhe performance of the 
software program for the purposes of testing, debugging, 
performance profiling, or optimizatic 



36. A system as in claim 27, wheife at least one of 
said emulated host computer and said monitor are programmed 
so as to provide information about the performance of the 
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software program for the purposes of reverse engineering or 
otherwise determining the function and behavior of the 
sofoware program. 

3V . A computer program embodied on at least one 
computeV- readable medium for executing a method for 
elicitingr a behavior from a software program, the method 
comprising, steps of: 

emulating a data communications network having at 
least one emulated network server coupled thereto, 
said at lelast one emulated network server operating to 
respond toVequests received from said emulated data 
communications network; 

emulating a hoist computer coupled to said emulated 
data communications network, said emulated host 
computer executing the software program, the software 
program operating\ to originate requests to said 
emulated data communications network; and 

detecting an occurrence of the behavior in at least 
one of said emulated netWork server and said emulated 
host computer . \ 

38. A computer program as \n claim 37, and further 
comprising a step of emulating at ueast one goat computer 
coupled to said emulated data communications network, and 
wherein the step of detecting an occurrence of the behavior 
detects the occurrence of the behavioAin said at least one 
goat computer . \ 

39. A computer program as in claim 37, wherein the 
elicited behavior is indicative of a \presence of an 
undesirable software entity within the software program. 
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y 40. A computer program as in claim 38, wherein the 
elicited behavior is indicative of a presence of an 
undesYrable software entity within the software program, 
and whterein the undesirable software entity comprises at 
least one of a worm, a virus, or a worm that exhibits viral 
characteristics • 

41. A computer program as in claim 37, wherein the 
elicited behavior comprises self -replication . 

42. A computer program as in claim 37, wherein the 
elicited behavior comprises worm-like or virus-like 
behavior . \ 

43. A computer program as in claim 37, wherein said 
step of detecting^ operates to detect at least one of a 
creation of a new fiile, a receipt of mail, an opening of 
mail, a posting of\ news, an opening of a new socket 
connection, an executVon of a particular application, and 
an alteration of a sysVem registry. 

44. A computer program as in claim 37, wherein said at 
least one emulated networks, server operates as an optimistic 
server. y 

45. A computer programyas in claim 37, wherein said 
method provides information about the performance of the 
software program for the purposes of testing, debugging, 
performance profiling, or optimization. 

46. A computer program as iVi claim 37, wherein said 
method provides information abouo the performance of the 
software program for the purposes o\ reverse engineering or 
otherwise determining the functiony and behavior of the 
software program. y 



